CAPABILITY · VAULT

Store secrets once, inject them at runtime, never in a prompt

Per-tenant encrypted secrets are injected into a run when a step needs them — and never enter the model, the logs, or the skill corpus.

POST /api/v1/secrets
Built for the cost wedge

What credential vault does

Agents need credentials to do authorized work, but credentials must never reach a model or a shared skill. Twin stores secrets in a per-tenant encrypted vault and injects them only at the moment a step needs them, inside the isolated browser session — keeping them out of prompts, traces, and the corpus.

Encrypted, per tenant

Secrets are stored encrypted and isolated per tenant under default-deny RLS — no cross-tenant access, ever.

Runtime injection only

A credential is injected into the browser session exactly when a step needs it, not held in the plan or the prompt.

Never in the model or corpus

Secrets are stripped before anything is sent to a model, written to logs, or promoted to the shared skill corpus.

Pairs with handoff

For one-time codes and approvals, the vault works with human-in-the-loop handoff so people stay the control point.

How it works

From a goal to deterministic action

  1. Store: Add a secret via the API or dashboard; it is encrypted and scoped to your tenant.
  2. Reference: A skill references a secret by name, never by value.
  3. Inject at runtime: When a step needs the secret, it is injected into the isolated browser session.
  4. Strip everywhere else: The value is excluded from prompts, model calls, logs, and the skill corpus.

In practice

See it on a real call

Secrets are referenced by name; the value is injected at runtime and never enters the model or logs.

secrets.ts
// Store once, encrypted, per tenant
await twin.secrets.set("acme_password", process.env.ACME_PW);

// Reference by name in a run — value never leaves the vault
await twin.agents.run({
  goal: "Log in and download this month's invoices",
  url: "https://acme.example.com",
  secrets: ["acme_password"],
});
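
The four steps above, sketched as an added example that is not Twin's SDK or implementation: a run is granted secrets by name, placeholders are resolved only at the browser-session boundary, and values are masked in anything that leaves the session. The `{{secret:name}}` placeholder syntax, all function names and the sample values are assumptions; encryption at rest and tenant isolation are not modelled.

```typescript
// Added example: every name here is hypothetical, not Twin's SDK or internals.
type Step = { action: string; selector: string; value: string };
type Secrets = Record<string, string>;

const REF = /\{\{secret:([a-z0-9_]+)\}\}/g; // assumed placeholder syntax

// Fail closed: only own, string-valued entries count as secrets.
function lookup(s: Secrets, name: string): string {
  const v = Object.prototype.hasOwnProperty.call(s, name) ? s[name] : undefined;
  if (typeof v !== "string") throw new Error(`secret not available: ${name}`);
  return v;
}

// Copy only the secrets named in the run request (per-run least privilege).
function grant(vault: Secrets, names: string[]): Secrets {
  const granted: Secrets = {};
  for (const name of names) granted[name] = lookup(vault, name);
  return granted;
}

// Called only at the browser-session boundary, never before a model call.
function inject(step: Step, granted: Secrets): Step {
  const value = step.value.replace(REF, (_m: string, name: string) => lookup(granted, name));
  return { action: step.action, selector: step.selector, value };
}

// Applied to anything leaving the session: prompts, traces, captured page text.
function redact(text: string, granted: Secrets): string {
  // Longest value first, so a secret that contains another is masked whole.
  const names = Object.keys(granted).sort(
    (a, b) => lookup(granted, b).length - lookup(granted, a).length);
  let out = text;
  for (const name of names) {
    const v = lookup(granted, name);
    if (v.length > 0) out = out.split(v).join(`[secret:${name}]`);
  }
  return out;
}

// Constructed sample data.
const vault: Secrets = { acme_password: "s3cr3t-Example!", billing_token: "tok-0000" };
const granted = grant(vault, ["acme_password"]);
const planned: Step = { action: "type", selector: "#password", value: "{{secret:acme_password}}" };

function demo(): { forModel: string; typed: string; trace: string } {
  const forModel = JSON.stringify(planned);   // the plan carries only the name
  const executed = inject(planned, granted);  // the value exists only in-session
  const trace = redact(`typed "${executed.value}" into ${executed.selector}`, granted);
  return { forModel, typed: executed.value, trace };
}
```

Exact-match masking like `redact` does not catch a value that has been transformed (URL-encoded, base64-encoded, truncated), so it complements keeping the value out of the plan rather than replacing it.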
At a glance

What credential vault is

The facts — how it works, what it costs, and the signal you get back on every call.

| Property | Twin Browser |
| --- | --- |
| Storage | Encrypted, per tenant |
| Isolation | Default-deny RLS |
| Reference | By name, not value |
| Injection | Runtime, in-session |
| Excluded from | Prompts, logs, corpus |
| Pairs with | Human-in-the-loop handoff |

FAQ

Credential vault — common questions

Do my credentials ever reach the model?
No. Secrets are referenced by name and injected into the browser session at runtime. They are stripped from prompts, model calls, logs, and the shared corpus.
How are secrets isolated between tenants?
The vault is per tenant under default-deny row-level security, so no tenant can read another's secrets.
How are one-time codes handled?
For MFA and approvals, the vault works with human-in-the-loop handoff: a person supplies the code at the moment the step needs it.
